Android Testing
This guide covers Android application penetration testing. Where possible, I have included procedures for Android 5 through 13. I use rooted Pixel devices during any penetration testing engagements, as well as a Corellium virtual device as needed.
Android Security
With each major Android release, Google updates the developer security guide. This guide describes the overall implementation of security features - both hardware and software - for the latest release. To fully understand the security features of Android, it is recommended that you read through the security guide.
The latest guide is located at: https://developer.android.com/topic/security/best-practices
OWASP Mobile Top 10 (2016)
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
OWASP Mobile Testing Guide
OWASP produces a very good mobile application penetration testing guide. It covers both Android and iOS, and is frequently updated. For a more complete guide to testing procedures, I highly recommend that you use the OWASP guide during any testing engagements!